Ransomware: Your Money Or Your (Life) Files

WHITEPAPER
A Short History Of Ransomware

"Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware and its numerous variants, which encrypts the files on a user's computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let's begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran's uranium enrichment facilities or the cyberespionage specialists of People's Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early-day 'sneaker-net' viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their "elite skills".

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by a cybercriminal, who used the botnet for sending spam, attacking websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the 'pioneers' but was still easy to find and easy to disinfect.

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders, which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time when traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a 'professional' manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the 'industry' to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal 'supply chain' and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we've sketched out the various hacking generations, let's zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. He included a leaflet with the diskettes warning that the software would "adversely affect other program applications," and that "you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally." The AIDS Trojan would count the number of times the computer was booted and, once the count reached 90, would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography, so the key needed to undo the damage was present in the malware itself, and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. With public-key encryption the malware only needs to carry the attacker's public key; the matching private key that unlocks the files never touches the victim's machine, so, unlike with the AIDS Trojan, the key cannot simply be lifted out of a sample. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, there is no such shortcut: unless the malware's cryptography is flawed or the key can be recovered, the files stay unreadable.

… day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

"An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer's regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount."

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, …

… Stealer. According to Avast: "This addition affects more than 110 applications and turns your computer into a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules." Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene
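As an added example, not code from the whitepaper or from any of the samples it describes, here are the two key-management models from the 1989 and 2006 passages side by side: the AIDS Trojan's fixed symmetric key baked into the malware, and GPcode's embedded RSA public key with the private key held by the attacker. The primitives are stand-ins chosen for illustration: a SHA-256 keystream for the file cipher and unpadded textbook RSA with a 512-bit modulus for the key wrap; EMBEDDED_KEY, the file names and the file contents are constructed. What it shows is why the first scheme is recoverable from a sample and the second is not.

```python
"""AIDS-Trojan-style fixed key vs GPcode-style public-key wrap (illustrative, not real sample code)."""
import hashlib
import os
import random


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """CTR-style stream: XOR data with SHA-256(key || byte offset). Self-inverse; illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# ---- Model A: one symmetric key shipped inside the sample (constructed stand-in, not Popp's scheme) ----
EMBEDDED_KEY = b"PC-CYBORG-CORP-1989"


def aids_style_scramble(filename: str) -> bytes:
    """What the 'malware' does to a filename once its boot counter trips."""
    return keystream_xor(EMBEDDED_KEY, filename.encode())


def aids_style_recovery_tool(scrambled: bytes) -> str:
    """A responder who has the sample has the key: same constant, same function."""
    return keystream_xor(EMBEDDED_KEY, scrambled).decode()


# ---- Model B: public key inside the sample, private key stays with the attacker ----
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Returns ((n, e), (n, d)). The attacker runs this once, offline; only (n, e) goes into the malware."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def gpcode_style_infect(public_key, files: dict) -> dict:
    """Runs on the victim: fresh file key, files encrypted, key wrapped to the attacker, key discarded."""
    n, e = public_key
    file_key = os.urandom(16)                                   # 128-bit, always < n
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)        # textbook RSA wrap, no padding
    encrypted = {name: keystream_xor(file_key, data) for name, data in files.items()}
    return {"wrapped_key": wrapped, "files": encrypted}         # file_key is kept nowhere on disk


def attacker_unwrap(private_key, wrapped: int) -> bytes:
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(16, "big")


def decrypt_files(file_key: bytes, encrypted: dict) -> dict:
    return {name: keystream_xor(file_key, data) for name, data in encrypted.items()}


def defender_recovery(public_key, victim_state, trial_limit: int = 200_000):
    """What a responder holding only the sample's (n, e) and the encrypted disk can try: recover d by
    factoring n. Bounded trial division stands in for that effort; for a properly sized modulus it
    fails and the files stay locked (returns None)."""
    n, e = public_key
    for candidate in range(3, trial_limit, 2):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            d = pow(e, -1, (p - 1) * (q - 1))
            return decrypt_files(attacker_unwrap((n, d), victim_state["wrapped_key"]), victim_state["files"])
    return None


if __name__ == "__main__":
    print(aids_style_recovery_tool(aids_style_scramble("REPORT.DOC")))   # key was in the sample
    pub, priv = rsa_keygen()
    state = gpcode_style_infect(pub, {"thesis.doc": b"constructed sample content"})
    print(defender_recovery(pub, state))                                  # None: nothing to lift
    print(decrypt_files(attacker_unwrap(priv, state["wrapped_key"]), state["files"]))
```

defender_recovery is the responder's only cryptographic route once a public key is in play, and it comes back empty for any properly sized modulus; that is the operational difference between a lockscreen someone will eventually write a removal tool for and a file-encrypter whose private key never touches the victim's disk. What remains for the responder in the second model is an implementation flaw (a file key left in memory, a weak random number generator, a reused modulus) or backups.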